On 27.02.2013 11:21, Daniel P. Berrange wrote:
> On Tue, Feb 26, 2013 at 05:08:40PM +0100, Michal Privoznik wrote:
>> Currently, if we label a file to match qemu process DAC label, we
>> do not store the original owner anywhere. So when relabeling
>> back, the only option we have is to relabel to root:root
>> which is obviously wrong.
>>
>> However, bare remembering is not enough. We need to keep track of
>> how many times we labeled a file so only the last restore
>> chown()-s file back to the original owner.
>
> Your patches don't deal with this scenario correctly I'm afraid.
> A shared file may be on NFS, so simply ref-counting inside
> libvirtd doesn't cut it. We need a ref count visible to all
> libvirtd instances that can see the file. My thought is that
> we ought to make use of an extended attribute for recording
> the ref count and original ownership.
>
> Daniel
>

Okay, but I think we should not deal with NFS at all. If a disk is
shared libvirt should not even try to label it. And if so, then
definitely not relabel it back.

Michal